Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Tony Arcieri
It's also worth noting that BERserk is one of many such incidents of this
coming up in practice:
https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/

On Tue, Aug 9, 2016 at 2:13 PM, Tony Arcieri wrote:

> On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:
>
>> BERserk is an implementation defect, not a crypto weakness.
>>
>
> Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
> Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
> (of course, the same can be said of BER in BERserk, and it was clearly the
> bigger of the two problems).
>
> Peter Gutmann's response was the sort of thing I was looking for when I
> originally asked the question.
>
> --
> Tony Arcieri
>



-- 
Tony Arcieri
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Tony Arcieri
On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:

> BERserk is an implementation defect, not a crypto weakness.
>

Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
(of course, the same can be said of BER in BERserk, and it was clearly the
bigger of the two problems).

Peter Gutmann's response was the sort of thing I was looking for when I
originally asked the question.

-- 
Tony Arcieri
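The "sharp edges" in PKCS#1 v1.5 signature verification that this message refers to come from verifiers that decrypt the signature and then parse the padding and the BER DigestInfo out of the result. The check a practitioner wants is the opposite: rebuild the entire expected encoded message and compare it byte-for-byte. The following is an added example, not code from this thread or from any TLS implementation; the RSA key generation is a constructed pure-Python toy (Miller-Rabin primes, not for production use) so that it runs offline, the SHA-256 DigestInfo prefix is the one from RFC 8017 section 9.2, and the sample message is constructed.

```python
import hashlib
import hmac
import math
import random

# DigestInfo prefix for SHA-256, from RFC 8017 section 9.2, Note 1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin test; toy helper so the example needs no third-party library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits=1024, e=65537, seed=None):
    """Constructed toy key generation (NOT for production use); returns (n, e, d)."""
    rng = random.Random(seed)

    def prime(nbits):
        while True:
            cand = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and (p * q).bit_length() == bits and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(msg, em_len):
    """EM = 0x00 || 0x01 || PS || 0x00 || T (RFC 8017 section 9.2); PS is >= 8 bytes of 0xFF."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    """RSASSA-PKCS1-v1_5 signing over the full modulus length k."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify_strict(msg, sig, n, e):
    """Rebuild the expected EM and compare the whole value in constant time.
    The verifier never parses padding length or the DigestInfo structure out of
    the decrypted value, which is the lenient-parser failure mode."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:          # signature must be exactly k octets
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:                 # signature representative out of range
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, k))


def demo(seed=2016):
    """Exercise the verifier on a constructed message; returns the outcomes."""
    n, e, d = gen_rsa_key(1024, seed=seed)  # constructed toy key
    msg = b"constructed sample message: ServerKeyExchange parameters"
    sig = sign(msg, n, d)
    bad_sig = bytearray(sig)
    bad_sig[-1] ^= 0x01  # flip one bit of the signature
    return {
        "valid": verify_strict(msg, sig, n, e),
        "wrong_message": verify_strict(msg + b"x", sig, n, e),
        "corrupted_signature": verify_strict(msg, bytes(bad_sig), n, e),
        "wrong_length": verify_strict(msg, sig[1:], n, e),
    }


if __name__ == "__main__":
    print(demo())
```

Because the comparison covers every octet of EM, a decrypted value with a shorter padding string, extra bytes after the hash, or any non-canonical DigestInfo encoding is rejected without the verifier ever having to reason about BER; the length and range checks up front reject malformed signatures before the modular exponentiation.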


[TLS] early IANA code point assignment request for draft-ietf-tls-ecdhe-psk-aead

2016-08-09 Thread Sean Turner
All,

We've received a request for early IANA assignments for the 6 cipher suites 
listed in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/.  
Please respond before August 23rd if you have concerns about early code point 
assignment for these cipher suites. 

J


Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-09 Thread Martin Rex
Tony Arcieri wrote:
> On Monday, August 8, 2016, Martin Rex wrote:
> >
> > The urban myth about the advantages of the RSA-PSS signature scheme
> > over PKCS#1 v1.5 keeps coming up.
> 
> Do you think we'll see real-world MitM attacks against RSA-PSS in TLS
> similar to those we've seen with PKCS#1v1.5 signature forgery, such as
> BERserk?

BERserk is an implementation defect, not a crypto weakness.

-Martin
